Search results


  • Conformio roles

    Please note that at any moment while using Conformio you can click the “Company setting” option in the left panel of your screen and access the link to “Job titles” to find a set of suggested roles to be included in your ISMS according to your needs (Company main executive, Information technology, Information security, Finance, Compliance, Marketing, Legal, Human resources, Office management, and Procurement).

    For small companies, you should define at least the Company's main executive and Information security roles. For bigger companies, the roles to be selected will depend on the defined scope. In the case of a bigger company where the whole company is included in the Information Security scope, maybe you should use all roles.

    An intermediary approach should consider the roles of the Company's main executive, Information technology, Information security, Finance, and Human resources, because in general they cover most of the scope. E.g., the HR roles can be responsible for employees' training and awareness, and Finance can be responsible for evaluating and approving security expenses.

  • Help with certification

    From our experience, some companies decide to host files on a server managed by the department that is included in the ISMS scope, but in most cases companies use cloud services like Google Drive, Dropbox or SharePoint.

    For further discussion, you can schedule a meeting with one of our experts.

  • Register of Requirements and scope

    To identify in the register of requirements module which requirements would be applicable to the cloud service host, in the field “To what area is this requirement related?” you need to select the option “Managing security with suppliers and partners”. Additionally, you can write this information in the description field, together with the description of the requirement.

    This way, it would be clear that the requirement is applicable to the cloud host.

    Please note that when you define that something is in the scope, you can only “let it for later” if you accept all risks related to that element in the scope.

  • Controls in the SoA that do not show up in the Risk Assessment

    You can consider a control applicable in the SoA even if it is not related to the results of risk assessment and treatment if:

    • it is required because a legal requirement (e.g., law, regulation, or contract) demands its implementation
    • it is required by top management as a good practice
  • NPI project for IATF

    In the new product introduction process (NPI), you should comply with the requirements of clause 8.3 of the IATF 16949:2016 standard. All requests on this subject are specified in sub-items 8.3 and 8.3.

    I have listed a few conditions that should be followed on this subject below, but I recommend that you review these relevant articles in detail.

    • If you are designing products, design FMEA
    • Process FMEA
    • Control Plan
    • Project Plan
    • Feasibility analysis
    • Design validity test plan and tests
    • Prototype control plan
    • Product and process validation records
    • MSA and SPC studies
    • All PPAP requests
    • Customer-specific requirements about it, etc.
  • Handling termination and change of employment

    The handling of termination and change of employment can be found in the Statement of Applicability Module, in the Implementation method for control A.6.5 (in case this control is marked as applicable).

    The implementation method in the SoA describes how the company will handle termination and change of employment (a text is suggested, but you can edit it according to your needs).

    In general, conditions that remain valid after the termination or change of employment are defined in the agreements with suppliers and partners, and in the confidentiality statements signed with employees. The clauses for this purpose can be found in the template Security Clauses for Suppliers and Partners. You can find this template in Conformio by clicking the link Documents in the left panel, then clicking "Templates for Manual Editing".

    For further information, see:

    • What to consider in security terms and conditions for employees according to ISO 27001 https://advisera.com/27001academy/blog/2018/05/23/what-to-consider-in-security-terms-and-conditions-for-employees-according-to-iso-27001/

  • Risk/ Supplier - what happens if a supplier ceases trading.

    Yes, you are right. If the manufacturer goes bankrupt and you do not have support for the product, you have to consider the risk that something goes wrong with the medical device and how you can answer to your client. This means that if you have some simple product for which you have had no complaints so far, maybe you can sell this kind of medical device until the certificate expires. However, if your medical device is complex, needs service or installation, or has some complaints where you have to ask for a spare device from the manufacturer, it will be very hard for you to sell that product further on.

  • ISO 14001 How to define environmental aspects

    “Finding: the normal, abnormal, and foreseeable emergency situations related to the aspect defined within the Environmental Aspect and risk register has not been defined.”

    When implementing an Environmental Management System, we must determine the environmental aspects associated with activities, products, and services, taking into account, to the extent reasonable, the life cycle perspective.

    Environmental aspects should be determined considering situations of normal operation, abnormal operation, and emergencies.

    I will consider a brick manufacturer for construction as an example.

    Examples of Normal Environmental Aspects:

    • Raw Material Consumption: The extraction and use of raw materials such as clay, sand, and water in brick production can impact local ecosystems and deplete natural resources.
    • Energy Consumption: The energy used for firing and drying bricks can contribute to greenhouse gas emissions and air pollution.
    • Air Emissions: Dust, particulate matter, and gases released during the firing process can affect air quality in the vicinity of the manufacturing facility.
    • Water Consumption and Discharge: The consumption of water in brick production and the discharge of wastewater can impact local water resources and aquatic ecosystems.
    • Waste Generation: The production process generates waste materials such as broken or defective bricks, which need proper management to minimize environmental impact.

    Examples of Abnormal Environmental Aspects:

    • Equipment Malfunctions: Malfunctions of machinery or kilns could lead to increased emissions, energy waste, and potential safety hazards.
    • Spillage or Leakage: Accidental spillage of raw materials, such as clay or chemicals, can contaminate soil and water sources.
    • Workplace Incidents: Accidental releases of dust, particulates, or other pollutants due to equipment failures or human errors could occur.
    • Noise Generation: Increased noise levels due to malfunctioning equipment can impact the surrounding community and wildlife.

    Examples of Emergency Environmental Aspects:

    • Fires: Fires in kilns, storage areas, or other parts of the facility could lead to air emissions, release of hazardous substances, and potential danger to employees and nearby communities.
    • Chemical Spills: Accidental spills of chemicals or fuels used in the manufacturing process can lead to soil and water contamination.
    • Power Outages: Power outages could disrupt operations and result in issues such as incomplete brick firing or increased emissions upon restarting.
    • Natural Disasters: Natural events like earthquakes, floods, or hurricanes could damage facilities, disrupt operations, and lead to potential environmental contamination.
    • Structural Failures: Failures in storage structures, kilns, or other equipment could result in spills, emissions, and other environmental impacts.

    It's important for the manufacturer to identify and assess these environmental aspects and develop appropriate measures to mitigate potential negative impacts. This includes implementing pollution prevention strategies, disaster preparedness plans, and emergency response procedures to ensure the protection of the environment and the safety of employees and the surrounding community.

    You can find more information on the following links:
